@tuskydp/cli 0.1.0 → 0.1.2

package/src/commands/account.ts

@@ -0,0 +1,82 @@
+import type { Command } from 'commander';
+import chalk from 'chalk';
+import { cliConfig, getApiUrl, getApiKey } from '../config.js';
+import { createSDKClient, AuthClient } from '../sdk.js';
+import { formatBytes } from '../lib/output.js';
+
+export function registerAccountCommands(program: Command) {
+  const account = program.command('account').description('Account management');
+
+  account.command('info')
+    .description('Show account info')
+    .action(async () => {
+      const apiUrl = getApiUrl(program.opts().apiUrl);
+      const apiKey = getApiKey(program.opts().apiKey);
+      const sdk = createSDKClient(apiUrl, apiKey);
+
+      const format = program.opts().format || cliConfig.get('outputFormat');
+      const acct = await sdk.account.get();
+
+      if (format === 'json') {
+        console.log(JSON.stringify(acct, null, 2));
+        return;
+      }
+
+      const usagePct = acct.storageLimitBytes > 0
+        ? ((acct.storageUsedBytes / acct.storageLimitBytes) * 100).toFixed(1)
+        : '0.0';
+      console.log(`Email:           ${acct.email}`);
+      console.log(`Plan:            ${acct.planName}`);
+      console.log(`Storage Used:    ${acct.storageUsedFormatted} / ${acct.storageLimitFormatted} (${usagePct}%)`);
+      console.log(`Encryption:      ${acct.encryptionSetupComplete ? chalk.green('Set up') : chalk.yellow('Not set up')}`);
+    });
+
+  account.command('plan')
+    .description('Show current plan and available upgrades')
+    .action(async () => {
+      const apiUrl = getApiUrl(program.opts().apiUrl);
+      const apiKey = getApiKey(program.opts().apiKey);
+      const sdk = createSDKClient(apiUrl, apiKey);
+      const authClient = new AuthClient(apiUrl);
+
+      const acct = await sdk.account.get();
+      const { plans } = await authClient.getPlans();
+      const currentTier = acct.planTier;
+
+      console.log(chalk.bold('Available Plans:\n'));
+      for (const plan of plans) {
+        const isCurrent = plan.tier === currentTier;
+        const prefix = isCurrent ? chalk.green('> ') : '  ';
+        const label = isCurrent ? chalk.green.bold(plan.displayName) : plan.displayName;
+        const price = plan.priceMonthly === 0 ? 'Free' : `$${(plan.priceMonthly / 100).toFixed(0)}/mo`;
+
+        console.log(`${prefix}${label} (${price})`);
+        console.log(`    Storage: ${formatBytes(plan.storageLimitBytes)}, Max file: ${formatBytes(plan.maxFileSizeBytes)}`);
+      }
+    });
+
+  account.command('usage')
+    .description('Show detailed usage breakdown')
+    .action(async () => {
+      const apiUrl = getApiUrl(program.opts().apiUrl);
+      const apiKey = getApiKey(program.opts().apiKey);
+      const sdk = createSDKClient(apiUrl, apiKey);
+
+      const acct = await sdk.account.get();
+      const vaults = await sdk.vaults.list();
+
+      console.log(chalk.bold('Storage Usage by Vault:\n'));
+      for (const v of vaults) {
+        const icon = v.visibility === 'private' ? '[private]' : '[public]';
+        console.log(`  ${v.name} ${icon} — ${v.fileCount} files, ${formatBytes(v.totalSizeBytes)}`);
+      }
+      console.log('');
+      console.log(`  Total: ${formatBytes(acct.storageUsedBytes)} / ${formatBytes(acct.storageLimitBytes)}`);
+    });
+
+  // Default action for `tuskydp account` with no subcommand
+  account.action(async () => {
+    // Run `info` subcommand
+    await account.commands.find(c => c.name() === 'info')?.parseAsync([], { from: 'user' });
+  });
+}

package/src/commands/auth.ts

@@ -0,0 +1,190 @@
+import type { Command } from 'commander';
+import chalk from 'chalk';
+import { cliConfig, getApiUrl, getApiKey } from '../config.js';
+import { createSDKClient, AuthClient } from '../sdk.js';
+import { createTable, formatDate } from '../lib/output.js';
+import { clearSession } from '../lib/keyring.js';
+
+export function registerAuthCommands(program: Command) {
+  program.command('signup')
+    .description('Create a new account')
+    .argument('<email>', 'Email address')
+    .argument('<password>', 'Password')
+    .requiredOption('--access-code <code>', 'Access code (required for signup)')
+    .option('--name <name>', 'Display name for the account')
+    .action(async (email: string, password: string, options) => {
+      const apiUrl = getApiUrl(program.opts().apiUrl);
+      const authClient = new AuthClient(apiUrl);
+
+      try {
+        const { user, accessToken } = await authClient.register(email, password, options.accessCode, options.name);
+        const keyResult = await authClient.createApiKeyWithJwt(accessToken, 'CLI Key');
+
+        cliConfig.set('apiKey', keyResult.apiKey);
+        cliConfig.set('apiUrl', apiUrl);
+
+        console.log(chalk.green(`✓ Account created: ${user.email}`));
+        console.log(chalk.dim(`API: ${apiUrl}`));
+        console.log('');
+        console.log(chalk.yellow('Save this API key — it will not be shown again:'));
+        console.log(chalk.bold(keyResult.apiKey));
+        console.log('');
+        console.log(chalk.dim('API key auto-saved to config. You\'re logged in.'));
+      } catch (err: any) {
+        console.error(chalk.red(`Signup failed: ${err.message}`));
+        process.exit(1);
+      }
+    });
+
+  program.command('login')
+    .description('Authenticate with TuskyDP')
+    .option('--api-key <key>', 'Authenticate with an existing API key')
+    .option('--email <email>', 'Email address for login')
+    .option('--password <password>', 'Password for login')
+    .action(async (options) => {
+      // Check both local and parent-level --api-key (Commander.js may assign to parent)
+      const apiKey = options.apiKey || program.opts().apiKey;
+      if (apiKey) {
+        const apiUrl = getApiUrl(program.opts().apiUrl);
+        try {
+          const sdk = createSDKClient(apiUrl, apiKey);
+          const account = await sdk.account.get();
+          cliConfig.set('apiKey', apiKey);
+          cliConfig.set('apiUrl', apiUrl);
+          console.log(chalk.green(`Authenticated as ${account.email} (${account.planName} plan)`));
+          console.log(chalk.dim(`API: ${apiUrl}`));
+          console.log(chalk.dim(`API key stored in config`));
+        } catch (err: any) {
+          console.error(chalk.red(`Authentication failed: ${err.message}`));
+          process.exit(1);
+        }
+        return;
+      }
+
+      if (options.email && options.password) {
+        const apiUrl = getApiUrl(program.opts().apiUrl);
+        const authClient = new AuthClient(apiUrl);
+        try {
+          const { accessToken } = await authClient.login(options.email, options.password);
+          const keyResult = await authClient.createApiKeyWithJwt(accessToken, 'CLI Key');
+
+          cliConfig.set('apiKey', keyResult.apiKey);
+          cliConfig.set('apiUrl', apiUrl);
+
+          console.log(chalk.green(`Authenticated as ${options.email}`));
+          console.log(chalk.dim(`API: ${apiUrl}`));
+          console.log('');
+          console.log(chalk.yellow('Save this API key — it will not be shown again:'));
+          console.log(chalk.bold(keyResult.apiKey));
+          console.log('');
+          console.log(chalk.dim('API key auto-saved to config. You\'re logged in.'));
+        } catch (err: any) {
+          console.error(chalk.red(`Login failed: ${err.message}`));
+          process.exit(1);
+        }
+        return;
+      }
+
+      console.log(chalk.yellow('Please provide credentials to log in.'));
+      console.log(chalk.dim('Use: tusky login --email <email> --password <password>'));
+      console.log(chalk.dim('  or: tusky login --api-key <key>'));
+    });
+
+  program.command('logout')
+    .description('Clear stored credentials and encryption session')
+    .action(() => {
+      cliConfig.delete('apiKey');
+      cliConfig.delete('defaultVault');
+      clearSession();
+      console.log(chalk.green('Logged out. Credentials and session cleared.'));
+    });
+
+  program.command('whoami')
+    .description('Show current user, plan, and storage usage')
+    .action(async () => {
+      const apiUrl = getApiUrl(program.opts().apiUrl);
+      const apiKey = getApiKey(program.opts().apiKey);
+      const sdk = createSDKClient(apiUrl, apiKey);
+
+      const account = await sdk.account.get();
+      console.log(`Email:        ${account.email}`);
+      console.log(`Plan:         ${account.planName} (${account.planTier})`);
+      console.log(`Storage:      ${account.storageUsedFormatted} / ${account.storageLimitFormatted}`);
+      console.log(`Encryption:   ${account.encryptionSetupComplete ? chalk.green('Set up') : chalk.yellow('Not set up')}`);
+      console.log(`Account ID:   ${chalk.dim(account.id)}`);
+    });
+
+  // API Key subcommands
+  const apiKeys = program.command('api-keys').description('Manage API keys');
+
+  apiKeys.command('list')
+    .description('List all API keys')
+    .action(async () => {
+      const apiUrl = getApiUrl(program.opts().apiUrl);
+      const apiKey = getApiKey(program.opts().apiKey);
+      const sdk = createSDKClient(apiUrl, apiKey);
+
+      const format = program.opts().format || cliConfig.get('outputFormat');
+      const keys = await sdk.apiKeys.list();
+
+      if (format === 'json') {
+        console.log(JSON.stringify(keys, null, 2));
+        return;
+      }
+
+      if (keys.length === 0) {
+        console.log(chalk.dim('No API keys found.'));
+        return;
+      }
+
+      const table = createTable(['Name', 'Prefix', 'Scopes', 'Last Used', 'Created']);
+      for (const k of keys) {
+        table.push([
+          k.name,
+          chalk.dim(k.keyPrefix + '...'),
+          k.scopes?.join(', ') || chalk.dim('all'),
+          k.lastUsedAt ? formatDate(k.lastUsedAt) : chalk.dim('never'),
+          formatDate(k.createdAt),
+        ]);
+      }
+      console.log(table.toString());
+    });
+
+  apiKeys.command('create <name>')
+    .description('Create a new API key')
+    .option('--scopes <scopes>', 'Comma-separated scopes')
+    .option('--vaults <vaults>', 'Comma-separated vault IDs')
+    .option('--expires <days>', 'Auto-expire after N days', parseInt)
+    .action(async (name: string, options) => {
+      const apiUrl = getApiUrl(program.opts().apiUrl);
+      const apiKey = getApiKey(program.opts().apiKey);
+      const sdk = createSDKClient(apiUrl, apiKey);
+
+      const result = await sdk.apiKeys.create({
+        name,
+        scopes: options.scopes?.split(','),
+        vaultIds: options.vaults?.split(','),
+        expiresInDays: options.expires,
+      });
+
+      console.log(chalk.yellow('Save this API key — it will not be shown again:'));
+      console.log('');
+      console.log(chalk.bold(result.apiKey));
+      console.log('');
+      console.log(`Name:    ${result.name}`);
+      console.log(`Prefix:  ${result.keyPrefix}`);
+      if (result.scopes) console.log(`Scopes:  ${result.scopes.join(', ')}`);
+      if (result.expiresAt) console.log(`Expires: ${new Date(result.expiresAt).toLocaleDateString()}`);
+    });
+
+  apiKeys.command('revoke <key-id>')
+    .description('Revoke an API key')
+    .action(async (keyId: string) => {
+      const apiUrl = getApiUrl(program.opts().apiUrl);
+      const apiKey = getApiKey(program.opts().apiKey);
+      const sdk = createSDKClient(apiUrl, apiKey);
+
+      await sdk.apiKeys.revoke(keyId);
+      console.log(chalk.green('API key revoked.'));
+    });
+}

package/src/commands/decrypt.ts

@@ -0,0 +1,276 @@
+/**
+ * `tusky decrypt` — Decrypt a file downloaded from Walrus.
+ *
+ * Works in two modes:
+ *   1. With --export <manifest.json> — reads wrappedKey/iv from the export
+ *      manifest, derives master key from passphrase + salt. Fully offline.
+ *   2. Without --export — fetches encryption params from the Tusky API and
+ *      looks up the file metadata by ID. Requires API access.
+ *
+ * In both modes, the passphrase is resolved from:
+ *   --passphrase flag > TUSKYDP_PASSWORD env var > interactive prompt
+ */
+
+import type { Command } from 'commander';
+import { readFileSync, writeFileSync, existsSync } from 'fs';
+import { resolve, basename } from 'path';
+import chalk from 'chalk';
+import inquirer from 'inquirer';
+import { getApiUrl, getApiKey } from '../config.js';
+import { createSDKClient } from '../sdk.js';
+import { createSpinner } from '../lib/progress.js';
+import { loadMasterKey } from '../lib/keyring.js';
+import {
+  deriveMasterKey,
+  verifyPassphrase,
+  unwrapMasterKey,
+  decryptBuffer,
+} from '../crypto.js';
+import type { ExportManifest, ExportedFile } from './export.js';
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Resolve the master key. Priority:
+ *   1. Session keyring (~/.tusky/session.enc)
+ *   2. Passphrase derivation (requires API or --salt/--encrypted-master-key)
+ */
+async function resolveMasterKey(options: {
+  passphrase?: string;
+  salt?: string;
+  verifier?: string;
+  encryptedMasterKey?: string;
+}): Promise<Buffer> {
+  // Try session keyring first
+  const sessionKey = loadMasterKey();
+  if (sessionKey) return sessionKey;
+
+  // Need passphrase
+  let passphrase = options.passphrase ?? process.env.TUSKYDP_PASSWORD;
+  if (!passphrase) {
+    const answers = await inquirer.prompt([{
+      type: 'password',
+      name: 'passphrase',
+      message: 'Enter encryption passphrase:',
+      mask: '*',
+    }]);
+    passphrase = answers.passphrase as string;
+  }
+
+  if (!options.salt) {
+    throw new Error('Cannot derive master key: salt is required. Use --export with an export manifest, or ensure the Tusky API is accessible.');
+  }
+
+  const salt = Buffer.from(options.salt, 'base64');
+  const wrappingKey = deriveMasterKey(passphrase, salt);
+
+  // Verify if we have a verifier
+  if (options.verifier) {
+    const verifierBuf = Buffer.from(options.verifier, 'base64');
+    if (!verifyPassphrase(wrappingKey, verifierBuf)) {
+      throw new Error('Invalid passphrase.');
+    }
+  }
+
+  // Unwrap master key if account has one
+  if (options.encryptedMasterKey) {
+    return unwrapMasterKey(Buffer.from(options.encryptedMasterKey, 'base64'), wrappingKey);
+  }
+
+  // Legacy: wrapping key IS the master key
+  return wrappingKey;
+}
+
+// ---------------------------------------------------------------------------
+// Command registration
+// ---------------------------------------------------------------------------
+
+export function registerDecryptCommand(program: Command) {
+  program
+    .command('decrypt <encrypted-file>')
+    .description('Decrypt a file downloaded from Walrus using your encryption passphrase')
+    .option('-o, --output <path>', 'Output path for decrypted file')
+    .option('--file-id <id>', 'Tusky file ID (to look up wrappedKey/iv from API)')
+    .option('--export <path>', 'Path to tusky-export.json manifest (for offline decryption)')
+    .option('--passphrase <passphrase>', 'Encryption passphrase (also reads TUSKYDP_PASSWORD env var)')
+    .option('--wrapped-key <key>', 'Per-file wrapped key (base64, from export manifest)')
+    .option('--iv <iv>', 'Per-file encryption IV (base64, from export manifest)')
+    .option('--checksum <sha256>', 'Expected plaintext SHA-256 checksum (hex)')
+    .action(async (encryptedFile: string, options: {
+      output?: string;
+      fileId?: string;
+      export?: string;
+      passphrase?: string;
+      wrappedKey?: string;
+      iv?: string;
+      checksum?: string;
+    }) => {
+      const spinner = createSpinner('Preparing decryption...');
+      spinner.start();
+
+      try {
+        // Resolve the encrypted file
+        const inputPath = resolve(encryptedFile);
+        if (!existsSync(inputPath)) {
+          spinner.fail(`File not found: ${inputPath}`);
+          return;
+        }
+
+        let wrappedKey: string;
+        let iv: string;
+        let checksum: string | undefined = options.checksum;
+        let fileName: string = basename(inputPath).replace(/\.enc$/, '');
+        let encryptionParams: { salt?: string; verifier?: string; encryptedMasterKey?: string } = {};
+
+        // ── Mode 1: Export manifest ──────────────────────────────────
+        if (options.export) {
+          spinner.text = 'Reading export manifest...';
+          const manifestPath = resolve(options.export);
+          if (!existsSync(manifestPath)) {
+            spinner.fail(`Export manifest not found: ${manifestPath}`);
+            return;
+          }
+
+          const manifest: ExportManifest = JSON.parse(readFileSync(manifestPath, 'utf-8'));
+          let exportedFile: ExportedFile | undefined;
+
+          if (options.fileId) {
+            exportedFile = manifest.files.find((f) => f.fileId === options.fileId);
+          } else {
+            // Try to match by filename
+            const inputBase = basename(inputPath);
+            exportedFile = manifest.files.find((f) =>
+              f.name === inputBase || f.name === fileName,
+            );
+
+            if (!exportedFile && manifest.files.length === 1) {
+              exportedFile = manifest.files[0];
+            }
+          }
+
+          if (!exportedFile) {
+            spinner.fail(
+              options.fileId
+                ? `File ID ${options.fileId} not found in export manifest.`
+                : `Could not match "${basename(inputPath)}" to a file in the export manifest. Use --file-id to specify.`,
+            );
+            return;
+          }
+
+          if (!exportedFile.encrypted) {
+            spinner.fail(`File "${exportedFile.name}" is not encrypted (public vault). No decryption needed.`);
+            return;
+          }
+
+          if (!exportedFile.wrappedKey || !exportedFile.encryptionIv) {
+            spinner.fail(`File "${exportedFile.name}" is missing encryption metadata in the export.`);
+            return;
+          }
+
+          wrappedKey = exportedFile.wrappedKey;
+          iv = exportedFile.encryptionIv;
+          checksum = checksum ?? exportedFile.plaintextChecksumSha256 ?? undefined;
+          fileName = exportedFile.name;
+
+          // Read account-level encryption params from manifest
+          if (manifest.encryption) {
+            encryptionParams = {
+              salt: manifest.encryption.salt ?? undefined,
+              verifier: manifest.encryption.verifier ?? undefined,
+              encryptedMasterKey: manifest.encryption.encryptedMasterKey ?? undefined,
+            };
+          }
+
+        // ── Mode 2: Direct flags ─────────────────────────────────────
+        } else if (options.wrappedKey && options.iv) {
+          wrappedKey = options.wrappedKey;
+          iv = options.iv;
+
+        // ── Mode 3: Fetch from API ───────────────────────────────────
+        } else if (options.fileId) {
+          spinner.text = 'Fetching file metadata from API...';
+          const apiUrl = getApiUrl(program.opts().apiUrl);
+          const apiKey = getApiKey(program.opts().apiKey);
+          const sdk = createSDKClient(apiUrl, apiKey);
+
+          const file = await sdk.files.get(options.fileId);
+          if (!file.encrypted) {
+            spinner.fail('This file is not encrypted. No decryption needed.');
+            return;
+          }
+          if (!file.wrappedKey || !file.encryptionIv) {
+            spinner.fail('File is missing encryption metadata.');
+            return;
+          }
+
+          wrappedKey = file.wrappedKey;
+          iv = file.encryptionIv;
+          checksum = checksum ?? file.plaintextChecksumSha256 ?? undefined;
+          fileName = file.name;
+
+          // Also fetch encryption params for master key derivation
+          const params = await sdk.account.getEncryptionParams();
+          encryptionParams = {
+            salt: params.salt ?? undefined,
+            verifier: params.verifier ?? undefined,
+            encryptedMasterKey: params.encryptedMasterKey ?? undefined,
+          };
+
+        } else {
+          spinner.fail(
+            'Need encryption metadata. Use one of:\n' +
+            '  --export <manifest.json>          (offline, from tusky export)\n' +
+            '  --file-id <id>                    (online, fetches from API)\n' +
+            '  --wrapped-key <key> --iv <iv>     (manual, base64 values)',
+          );
+          return;
+        }
+
+        // If we don't have encryption params yet, try API
+        if (!encryptionParams.salt) {
+          try {
+            const apiUrl = getApiUrl(program.opts().apiUrl);
+            const apiKey = getApiKey(program.opts().apiKey);
+            const sdk = createSDKClient(apiUrl, apiKey);
+            const params = await sdk.account.getEncryptionParams();
+            encryptionParams = {
+              salt: params.salt ?? undefined,
+              verifier: params.verifier ?? undefined,
+              encryptedMasterKey: params.encryptedMasterKey ?? undefined,
+            };
+          } catch {
+            // API unavailable — that's ok if we have a session key
+          }
+        }
+
+        // Resolve master key
+        spinner.text = 'Deriving encryption key...';
+        const masterKey = await resolveMasterKey({
+          passphrase: options.passphrase,
+          ...encryptionParams,
+        });
+
+        // Read and decrypt
+        spinner.text = 'Decrypting...';
+        const ciphertext = readFileSync(inputPath);
+        const plaintext = decryptBuffer(ciphertext, wrappedKey, iv, masterKey, checksum);
+
+        // Write output
+        const outputPath = options.output ? resolve(options.output) : resolve(fileName);
+        writeFileSync(outputPath, plaintext);
+
+        spinner.succeed(`Decrypted -> ${outputPath} (${plaintext.length} bytes)`);
+
+        if (checksum) {
+          console.log(chalk.dim('  Integrity check passed (SHA-256)'));
+        }
+      } catch (err: any) {
+        spinner.fail(`Decryption failed: ${err.message}`);
+        if (err.message.includes('Unsupported state') || err.message.includes('auth tag')) {
+          console.log(chalk.dim('  This usually means the passphrase is incorrect or the file is corrupted.'));
+        }
+      }
+    });
+}

package/src/commands/download.ts

@@ -0,0 +1,82 @@
+import type { Command } from 'commander';
+import { writeFileSync } from 'fs';
+import { join } from 'path';
+import chalk from 'chalk';
+import { getApiUrl, getApiKey } from '../config.js';
+import { createSDKClient } from '../sdk.js';
+import { formatBytes } from '../lib/output.js';
+import { createSpinner } from '../lib/progress.js';
+import { decryptBuffer } from '../crypto.js';
+import { loadMasterKey } from '../lib/keyring.js';
+
+export async function downloadCommand(fileId: string, options: {
+  output?: string;
+}, program: Command) {
+  const apiUrl = getApiUrl(program.opts().apiUrl);
+  const apiKey = getApiKey(program.opts().apiKey);
+  const sdk = createSDKClient(apiUrl, apiKey);
+  const spinner = createSpinner('Fetching file info...');
+  spinner.start();
+
+  try {
+    // Get download URL and encryption metadata
+    let dlResponse = await sdk.files.getDownloadUrl(fileId);
+    let { downloadUrl, status, encryption } = dlResponse;
+
+    if (status === 'rehydrating') {
+      spinner.text = 'File is being retrieved from Walrus. Polling...';
+      for (let i = 0; i < 30; i++) {
+        await new Promise(r => setTimeout(r, 2000));
+        const check = await sdk.files.getDownloadUrl(fileId);
+        if (check.status === 'ready') {
+          downloadUrl = check.downloadUrl;
+          encryption = check.encryption;
+          status = 'ready';
+          break;
+        }
+      }
+      if (status !== 'ready') {
+        spinner.fail('File rehydration timed out. Try again later.');
+        return;
+      }
+    }
+
+    if (!downloadUrl) {
+      spinner.fail('No download URL available.');
+      return;
+    }
+
+    // Download
+    spinner.text = 'Downloading...';
+    const response = await fetch(downloadUrl);
+    if (!response.ok) throw new Error(`Download failed: ${response.status}`);
+    const arrayBuf = await response.arrayBuffer();
+    let fileBuffer: Buffer = Buffer.from(new Uint8Array(arrayBuf));
+
+    // Decrypt if needed
+    if (encryption?.encrypted) {
+      spinner.text = 'Decrypting...';
+      const masterKey = loadMasterKey();
+      if (!masterKey) {
+        spinner.fail('Encryption session not unlocked. Run: tusky encryption unlock');
+        return;
+      }
+      fileBuffer = decryptBuffer(
+        fileBuffer,
+        encryption.wrappedKey!,
+        encryption.iv!,
+        masterKey,
+        encryption.plaintextChecksumSha256 ?? undefined,
+      );
+    }
+
+    // Write to disk — use getStatus to get filename
+    const fileInfo = await sdk.files.getStatus(fileId);
+    const outputPath = options.output || join(process.cwd(), fileInfo.name);
+    writeFileSync(outputPath, fileBuffer);
+
+    spinner.succeed(`Downloaded -> ${outputPath} (${formatBytes(fileBuffer.length)})`);
+  } catch (err: any) {
+    spinner.fail(`Download failed: ${err.message}`);
+  }
+}